(54) A method for privately accessing data in a computer system usable by different users and related computer system

(57) A computer system comprises a central unit operated by an operating system and capable of storing user-related data which are specific to a given user in a data storage. The system further comprises:

a transceiver unit connected to said central unit and capable of communicating with a portable object through a communication link,

means for controlling said transceiver unit so as to periodically derive from a communication with a portable object a session key associated with a user bearing or carrying said portable object and for providing said session key to the central unit,

means for storing said session key, 

means for encrypting with said session key all user-related data before they are written in a computer storage, and

means for decrypting with said session key the user-related data after they are read from said computer storage.

The present invention also provides a method for private data access.

The invention guarantees privacy in the use of public PCs such as in hotels, airports, etc.
Description

[0001] The present invention relates to a system and method for preventing third parties from accessing private data related to a given user on a computer system that can be used by several people.

Background of the invention 

[0002] In many places, such as hotel business centers, airport lounges or other public or private premises, it is frequent that a given computer system such as an ordinary personal computer may be used on demand by different guests or other people for many activities such as running internal software of the PC, browsing on the Internet, etc.

[0003] In such environments, when a first user stops using the PC, it is quite possible that a subsequent user will be able to access data which are stored in the PC (typically in mass storage such as a hard disk drive and/or in a working memory such as a random access memory (RAM)) and which were private to the previous user.
[0004] One known way of avoiding this risk of privacy violation is to ask each user, before he or she stops his or her work on the equipment, to delete all information containing private data from the computer hard disk and from the RAM. Such information might include data files created by the user (text files, etc.), related cache files, operating system swap files, internet cookies, internet cache files, internet browser history files, etc.
[0005] Such approach has three main drawbacks. First of all, it is quite a lengthy and tedious operation, as there may be a great number of such files, cookies or other information, and each has to be individually located and properly deleted. Secondly, in the very complex directory structure of modern operating systems, some of these files, cookies or other information might be quite difficult to locate, and there is a significant risk that the user will inadvertently leave some of these on the hard disk or in RAM. Thirdly, even if files have been properly deleted, software tools are known which are capable of "undeleting" previously deleted files, so that in any case privacy cannot be fully guaranteed.

Summary of the invention 

[0006] An objective of the present invention is to ensure that, when several people become successive users of a single piece of computer equipment such as a public personal computer, no data concerning a given user, whether these data are personal or corporate, will be accessible to subsequent users after said given user has ceased to use the computer or physically gone away from the computer for whatever reason.
[0007] Another objective of the present invention is to provide a computer equipment wherein any type of storage which might contain data which are private to a user are accessible only as far as said user is located in adequate vicinity of said equipment.
[0008] Still another objective of the present invention is to preserve such privacy without requiring from the user any specific manipulation on the computer equipment.

[0009] Accordingly, the present invention provides in a first aspect a method for privately accessing data in a computer system which may be used by different users and which is capable of writing and reading in a computer storage user-related data during use of the computer by a given user, comprising the following steps:

providing a user with a portable object having stored therein a unique data, said object and said computer system being capable of communicating with each other via a communication link,

at the computer system, periodically polling for a portable object through said communication link to check whether a portable object is present,

in the affirmative, deriving from the communication between said computer system and said portable object a session key,

storing said session key in the computer system, 

before the computer writes user-related data in the computer storage, encrypting said user-related data with said session key, and

after the computer has read user-related data in said computer storage, decrypting said user-related data.

[0010] Preferably the method further comprises the step of deleting at least one of said stored session key and said stored encrypted user-related data when the polling and deriving steps provide a session key which is different from the currently stored session key.

[0011] Preferably also, the method further comprises the step of deleting at least one of said stored session key and said stored encrypted user-related data when the polling and deriving steps provide no session key.

[0012] It is further advantageous that said deletion step deletes both said stored session key and said stored encrypted user-related data.
[0013] Preferably, said step of deriving a session key comprises running a challenge-response protocol between said computer system and said portable object so as to generate in the computer system a session key which uniquely corresponds to the unique data stored in the portable object.

[0014] Said computer storage preferably comprises a mass memory unit and also possibly a working memory of the computer.

[0015] Said portable object may be comprised of a dedicated token or badge having a storage circuit for said unique data and a transceiver circuit, or a user-owned electronic equipment having a storage circuit for said unique data and a transceiver circuit.
[0016] Such user-owned equipment is for instance selected from the group comprising mobile phones and palmtop computer equipment.

[0017] In such case, said providing step preferably comprises loading into the storage circuit of said user-owned electronic equipment said unique data.
[0018] In a second aspect, the present invention provides a computer system, comprising a central unit operated by an operating system and capable of storing user-related data which are specific to a given user in a data storage, further comprising:

a transceiver unit connected to said central unit and capable of communicating with a portable object through a communication link,

means for controlling said transceiver unit so as to periodically derive from a communication with a portable object a session key associated with a user bearing or carrying said portable object and for providing said session key to the central unit,

means for storing said session key,

means for encrypting with said session key all user-related data before they are written in a computer storage, and

means for decrypting with said session key the user-related data after they are read from said computer storage.

[0019] Said computer storage advantageously comprises a mass memory unit and also possibly a working memory.

[0020] In a convenient embodiment, the communication link between the portable object and the computer is wireless.

Brief description of the drawings 

[0021] The present invention will now be described in greater detail with reference to the appended drawings, in which:

Fig. 1 is a block diagram of a computer system with a privacy scheme according to a preferred embodiment of the present invention, and

Fig. 2 is a flow chart of the basic operative steps performed by this computer system.

Detailed description of the preferred embodiment 

[0022] With reference to Fig. 1, there is shown a computer equipment, in the present species a personal computer, having a central unit 100 and a display screen 200.

[0023] The central unit 100 houses a microprocessor 110 which can access a random access memory RAM 120 via appropriate buses B and a mass storage unit such as a hard disk 130 through an appropriate driver 140.

[0024] Other components of the equipment have not been shown but are well known to the one skilled in the art.

[0025] The computer equipment also includes a wireless transceiver unit 150 connected to the microprocessor 110 through a suitable I/O circuit 160.

[0026] The transceiver unit is capable of wireless communication with a portable object 300 having a suitable wireless communication circuit 310. In a preferred embodiment, unit 150 and circuit 310 of the portable object 300 communicate with each other according to the known "Bluetooth" standard, although other types of wireless communications may be used.
[0027] It should be noted here that, although the present embodiment provides a wireless communication link between unit 150 and portable object 300, which is particularly convenient for the user because no specific manipulation of said portable object is required, other types of communications may be used. For instance, the technologies of magnetic cards or chip cards together with appropriate card readers, or else the technology of transponders (closed magnetic coupling) may be used.

[0028] The portable object 300 also includes a memory 320 in which is stored a unique data from which a so-called "session key" will be provided to the computer as described later.

[0029] Unit 150 and portable object 300 are capable of communicating on the wireless link so that the session key may be safely determined from the contents of the portable object memory 320 and provided to the microprocessor 110 through circuits 310 and 150 according to a specified key transmission protocol.
[0030] In a preferred embodiment, the unique data contained in the portable object is the session key itself, and such protocol can be a challenge/response protocol, such as the known Diffie-Hellman key exchange protocol, by which the session key is transmitted to the microprocessor 110 with a high degree of security (using an adequate communication key also kept by the portable object and the microprocessor), and stored in an appropriate location ("session key store") in the RAM of the computer equipment.

EP 1 223 495 A1

[0031] The operating system of the computer equipment may be a standard one such as "Windows" (trademark). However, such operating system has embedded therein a software unit in the form of a key polling routine that causes the transceiver unit 150 to poll for a session key present in a portable object within the reach of said unit 150 at given time intervals. The operating system also encloses an encryption/decryption tool capable of using the session key received from a portable object for selectively encrypting with said session key all data or selected data which are to be written in the hard disk storage 130, before data writing effectively occurs, and for decrypting with said key all data stored on disk 130 which had been previously encrypted with the same session key.

[0032] Any suitable known key-based encryption/decryption scheme may be used.

[0033] Preferably, all data which are encrypted before being written on the disk are stored in a specific disk area reserved for that purpose, while the remainder of the disk is read from and written into in the normal way.
[0034] Preferentially, such encryption/decryption scheme is also used when writing data (selected parts or all) into RAM and when reading from RAM said encrypted data.

[0035] Additionally, the disk storage has a special volatile area (e.g. a partition or other disk space subdivision) in which all encrypted data are written, while the remaining areas of the disk are used in the normal way. Such special volatile area of the disk can be erased upon specific instructions from the microprocessor 110 in particular circumstances as will be described in the following.

[0036] The basic operation of the above-described computer equipment will now be described with specific reference to Fig. 2.

[0037] Preliminarily, it should be noted that any person who wants to use the computer equipment is first given by an authorizing personnel a portable object 300 including a specific session key or unique data from which the computer will be capable of deriving a session key. Such portable object can be a token, badge or card incorporating circuits 310 and 320. The object may be a battery-powered unit received or embedded in a suitable small housing such as a card-shaped housing, or it may be a so-called transponder unit powered at least partially with the electromagnetic energy received from transceiver unit 150.

[0038] Alternatively, the portable object may be an equipment owned by that person, such as a mobile phone, a palmtop computer, etc., capable of communicating with the transceiver unit 150 and in a memory of which a session key has been stored by the authorizing personnel through the same communication link or a different one (e.g. infrared port).

[0039] First of all, when the computer equipment is turned on, booting occurs so that all programs and data necessary for the operating system to run are loaded into RAM in the conventional way (block 400 in Fig. 2). After this basic booting, a session key polling routine 402 is executed so that the microprocessor can check, through transceiver unit 150, whether a portable object storing a session key is within the range of said unit 150. This in turn reveals whether a user bearing a portable object 300 is or is not in the vicinity of the computer equipment.

[0040] If such polling reveals that no portable object is within range, then the computer equipment clears the session key store in step 404 (or keeps it cleared), disables the encryption/decryption mechanism at step 405 (or keeps it disabled), and then executes again at specific intervals (e.g. around every minute), as determined by a waiting step 406, the session key polling routine 402.

[0041] Alternatively or in addition, the session key polling routine can be caused to be immediately executed after an extended rest period as soon as a candidate user causes an action on an input device (such as a keyboard, a mouse or the like) of the computer equipment.

[0042] When the session key polling routine detects the presence of a portable object storing a session key, the key exchange protocol is conducted in step 408 so that a session key Ks is provided to the computer equipment after being derived from the unique data contained in object 300 (which can be the session key itself or different data).

[0043] After session key Ks has been provided, the computer determines in step 410 whether a session key was already present in the computer session key store. If yes, the computer then reads the session key, denoted Kso, from the store in step 416.

[0044] Then the computer executes the step of comparing Ks and Kso, in order to determine whether the same user as in the previous polling, or a different user, is in front of the computer.

[0045] The first situation is determined by the fact that the session key has not changed, i.e. Ks = Kso. In such case, the user may use the computer with the encryption/decryption mechanism kept enabled in step 414.

[0046] The second situation is determined by the fact that the session key has changed, i.e. Ks ≠ Kso. In that case, the previous session key Kso is deleted from the session key store (step 420) and the new session key Ks is loaded into the session key store (step 412), after which the encryption/decryption mechanism using the session key store contents is enabled (step 414).
[0047] Therefore, whether a session key was present or not in the session key store when a new user arrives in the vicinity of the computer equipment, such new user may use the equipment in a way which he will perceive as the normal way, except that all user-created, user-modified or user-related data in the computer equipment will be written onto the hard disk or into RAM after having been encrypted with the session key stored in the session key store, and that, in order to allow the same user to read such data from the hard disk or the RAM, all such read data are decrypted using the same session key.
[0048] During this stage of computer use by the user, the session key polling routine keeps being executed at specific time intervals.

[0049] As long as the same user is in the vicinity of the equipment, the same session key is provided again in step 408, so that data keep being encrypted and decrypted with the same session key.
[0050] Now when the session key polling routine 402, 404 results in providing a session key Ks which is different from the previous one Kso, then the process goes from step 418 to step 420, in which:

the specific storage area of the hard disk, containing data encrypted with Kso, is deleted (or blanked or emptied);

the data which had been stored in RAM after having also been encrypted with Kso are deleted (or blanked or emptied).

[0051] After step 420, step 412 is executed whereby the new session key Ks is stored in the session key store (so that, in this case, the previous session key Kso is overwritten).

[0052] It should be noted here that, when a user who was using the computer equipment leaves the equipment for a moment, then the next polling step will merely lead to clearing the session key store in step 404, without deleting the user data. This means that, when the same user comes back again, the associated session key is loaded again in the session key store through steps 402, 408, 410, 412, so that the user may resume work without having lost any data.
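The polling flow of Fig. 2 described in [0039] to [0052], written out as a small simulation. This is an added example, not code from the patent: the hashed key derivation standing in for the challenge/response protocol, the HMAC-based stream cipher standing in for the unspecified encryption scheme, the class and method names and the token contents are all assumptions.

```python
# Simulation of the Fig. 2 privacy scheme (steps 400-420). Added example, not the
# patent's code: the key derivation and the cipher are stand-ins, since the patent
# leaves the challenge/response protocol and the encryption scheme open.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def derive_session_key(unique_data: bytes) -> bytes:
    """Step 408 stand-in: a key that uniquely corresponds to the unique data in
    portable object 300 (the real system obtains it by challenge/response)."""
    return hashlib.sha256(b"session-key|" + unique_data).digest()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: HMAC-SHA256 counter-mode keystream XORed onto the data,
    so the same call encrypts and decrypts (a real system would use e.g. AES)."""
    out = bytearray()
    for n in range((len(data) + 31) // 32):
        stream = hmac.new(key, n.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[n * 32:(n + 1) * 32], stream))
    return bytes(out)


@dataclass
class PrivateComputer:
    """Central unit 100: session key store, reserved encrypted area of disk 130
    and encrypted section of RAM 120."""
    session_key: Optional[bytes] = None               # session key store
    encryption_enabled: bool = False                  # toggled at steps 405 / 414
    disk_area: Dict[str, bytes] = field(default_factory=dict)
    ram_section: Dict[str, bytes] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)   # trace of Fig. 2 steps

    def poll(self, object_in_range: Optional[bytes]) -> None:
        """One run of polling routine 402; `object_in_range` is the unique data
        of a portable object within reach of transceiver 150, or None."""
        if object_in_range is None:
            # Steps 404/405: user gone. Clear the key and disable the mechanism,
            # but keep the encrypted data so the same user can resume ([0052]).
            self.session_key, self.encryption_enabled = None, False
            self.events.append("404/405 key store cleared")
            return
        ks = derive_session_key(object_in_range)      # step 408
        kso = self.session_key                        # steps 410 / 416
        if kso is not None and ks != kso:
            # Step 418 -> 420: a different user; wipe all data encrypted with Kso.
            self.disk_area.clear()
            self.ram_section.clear()
            self.events.append("420 data encrypted with Kso deleted")
        self.session_key, self.encryption_enabled = ks, True   # steps 412, 414
        self.events.append("412/414 key loaded, encryption enabled")

    def _store(self, ram: bool) -> Dict[str, bytes]:
        if not self.encryption_enabled:
            raise PermissionError("no session key present (step 405)")
        return self.ram_section if ram else self.disk_area

    def write(self, name: str, plaintext: bytes, ram: bool = False) -> None:
        """Encrypt with the stored session key before the data reaches storage."""
        self._store(ram)[name] = xor_keystream(self.session_key, plaintext)

    def read(self, name: str, ram: bool = False) -> Optional[bytes]:
        """Decrypt with the stored session key after the data is read back."""
        blob = self._store(ram).get(name)
        return None if blob is None else xor_keystream(self.session_key, blob)


def run_scenario() -> dict:
    """[0047]-[0052]: user A works, steps away and returns, then user B takes
    over. Token contents are constructed sample values."""
    pc = PrivateComputer()
    token_a, token_b = b"token-A-unique-data", b"token-B-unique-data"
    pc.poll(token_a)
    pc.write("notes.txt", b"private notes of user A")
    pc.write("clipboard", b"scratch data of user A", ram=True)
    pc.poll(None)                 # A steps away: key cleared, data kept
    pc.poll(token_a)              # A returns: same key, work resumes
    resumed = pc.read("notes.txt")
    pc.poll(token_b)              # B arrives while A's key is stored: step 420
    return {"resumed": resumed, "disk_after_b": pc.read("notes.txt"),
            "ram_after_b": pc.read("clipboard", ram=True), "events": pc.events}
```

Running `run_scenario()` shows user A's data readable after returning but gone once user B's key replaces Kso, while any read or write attempted with no object in range raises PermissionError because step 405 has disabled the mechanism.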

[0053] In a preferred embodiment, data which are encrypted before being written in the RAM are all stored in a given section of the computer dynamic RAM which has a special refresh scheme. More particularly, the refresh cycles of this given section of the RAM are enabled only as long as a valid session key resides in the computer. As soon as a session key change is detected in step 418, the clearing step 420 at the RAM level is performed by the refresh cycles of said given RAM section being disabled, so that all data previously contained therein are cleared.

[0054] In this manner, the data which are private to the user who has just been replaced by a subsequent user are totally unavailable to said subsequent user.
[0055] It should be emphasized here that, by deleting both the data encrypted with a session key (in step 420) and the session key itself (in step 412) when a user is replaced by a different user, the privacy scheme according to the present invention offers a double security level.

[0056] It should also be noted that providing a session key to the computer through a challenge/response scheme performed with the portable object has the advantage that replay-based fraudulent attacks on the privacy scheme are strictly avoided.

[0057] According to another feature of the present invention, the portable object and/or the computer equipment is advantageously provided with some display means (e.g. a light or the like on the portable object and/or a security message in a specific display area on the computer display screen) to indicate to the user the status of the privacy scheme. Such display is advantageously controlled at steps 414 and 405.
[0058] There has been described a method for ensuring the privacy of user data stored in a computer system during a user session, comprising: using unique data stored in a portable object with which users of the system are provided to derive a session key from a communication between said computer system and said object; encrypting user data with said session key prior to storage in the system and decrypting said user data when it is retrieved from storage during a user session; deleting said session key when the user session is over, so that the stored user data is no longer accessible.
[0059] The present invention can be applied to any computer equipment intended to be used by different users wherein privacy should be ensured for each individual user.

Claims

1. A method for privately accessing data in a computer system which may be used by different users and which is capable of writing and reading in a computer storage user-related data during use of the computer by a given user, comprising the following steps:

providing a user with a portable object having stored therein a unique data, said object and said computer system being capable of communicating with each other via a communication link,

at the computer system, periodically polling for a portable object through said communication link to check whether a portable object is present,

in the affirmative, deriving from the communication between said computer system and said portable object a session key,

storing said session key in the computer system,

before the computer writes user-related data in the computer storage, encrypting said user-related data with said session key, and

after the computer has read user-related data in said computer storage, decrypting said user-related data.

2. A method according to claim 1, further comprising the step of deleting at least one of said stored session key and said stored encrypted user-related data when the polling and deriving steps provide a session key which is different from the currently stored session key.

3. A method according to claim 2, wherein said deletion step deletes both said stored session key and said stored encrypted user-related data.

4. A method according to any one of claims 1 to 3, further comprising the step of deleting at least one of said stored session key and said stored encrypted user-related data when the polling and deriving steps provide no session key.

5. A method according to claim 4, wherein said deletion step deletes only said stored session key.

6. A method according to any one of claims 1 to 5, wherein said step of deriving a session key comprises running a challenge-response protocol between said computer system and said portable object so as to generate in the computer system a session key which uniquely corresponds to the unique data stored in the portable object.

7. A method according to any one of claims 1 to 6, wherein said computer storage comprises a mass memory unit.

8. A method according to claim 7, wherein said computer storage also comprises a working memory of the computer.

9. A method according to any one of claims 1 to 8, wherein said portable object is comprised of a dedicated token or badge having a storage circuit for said unique data and a transceiver circuit.

10. A method according to any one of claims 1 to 8, wherein said portable object is comprised of a user-owned electronic equipment having a storage circuit for said unique data and a transceiver circuit.

11. A method according to claim 10, wherein said user-owned equipment is selected from the group comprising mobile phones and palmtop computer equipment.

12. A method according to claim 10 or 11, wherein said providing step comprises loading into the storage circuit of said user-owned electronic equipment said unique data.

13. A method according to any one of claims 1 to 12, wherein said communication link is a wireless communication link.

14. A computer system, comprising a central unit operated by an operating system and capable of storing user-related data which are specific to a given user in a data storage, further comprising:

a transceiver unit connected to said central unit and capable of communicating with a portable object through a communication link,

means for controlling said transceiver unit so as to periodically derive from a communication with a portable object a session key associated with a user bearing or carrying said portable object and for providing said session key to the central unit,

means for storing said session key,

means for encrypting with said session key all user-related data before they are written in a computer storage, and

means for decrypting with said session key the user-related data after they are read from said computer storage.

15. A computer system according to claim 14, further comprising:

means for deleting at least one of said stored session key and said stored encrypted data when the transceiver unit provides to the central unit a session key which is different from a previous one.

16. A computer system according to claim 15, wherein said deletion means are capable of deleting both said stored session key and said stored encrypted data.

17. A computer system according to any one of claims 14 to 16, further comprising:

means for deleting at least one of said stored session key and said stored encrypted data as soon as the transceiver unit does not provide to the central unit the same session key within a given timeframe.

18. A computer system according to claim 17, wherein said deletion means are capable of deleting only said session key.

19. A computer system according to any one of claims 14 to 18, wherein said computer storage comprises a mass memory unit.

20. A computer system according to claim 19, wherein said computer storage also comprises a working memory.
21. A computer system according to any one of claims 14 to 20, wherein said session key is obtained through a challenge-response protocol between said transceiver unit and said portable object.

22. A computer system according to any one of claims 14 to 21, wherein said communication link is a wireless communication link.

23. A method for ensuring the privacy of user data stored in a computer system during a user session, comprising:

using unique data stored in a portable object with which users of the system are provided to derive a session key from a communication between said computer system and said object;

encrypting user data with said session key prior to storage in the system and decrypting said user data when it is retrieved from storage during a user session;

deleting said session key when the user session is over, so that the stored user data is no longer accessible.